USBDeviceHistory.psm1

<#
.Synopsis
This module queries a series of registry keys for information about USB devices that have been inserted into the computer. In addition, the System EventLog is queried for EventIDs 20003 and 20001.
The resulting information can be either saved to reports in $HOME\Desktop\Get-USBHistory_Out\ (using the -OutputToReport parameter), displayed on the console (using the -OutputToConsole parameter), or both.
Written by vasken@ucr.edu
 
.Parameter OutputToConsole
This parameter is useful when piping the data to another cmdlet like Select-String
 
.Parameter OutputToReport
This parameter can be used to save the output of Get-USBDeviceHistory to a set of two files in $HOME\Desktop\Get-USBHistory_Out\
 
.Description
Return list of USB devices through registry and EventLog querying.
 
.Example
Get-USBDeviceHistory -OutputToReport
 
.Example
Get-USBDeviceHistory -OutputToConsole
 
.Example
Get-USBDeviceHistory -OutputToReport -OutputToConsole
#>

 
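function Get-USBDeviceHistory
{
    <#
    .SYNOPSIS
    Reports USB device history from the registry and the System event log.

    .DESCRIPTION
    Builds the CSS block used for the HTML reports, then calls
    Get-RegistryKeys and Get-EvtxRecords, handing both the two output
    switches and the style block. All work happens in the begin block; the
    function takes no pipeline input.

    With -OutputToReport the helpers write HTML files under
    $HOME\Desktop\Get-USBHistory_Out on the machine being examined. That
    modifies the examined system, and the reports hold device identifiers,
    so collect and store them accordingly.

    .PARAMETER OutputToReport
    Write the collected data to HTML files.

    .PARAMETER OutputToConsole
    Emit the collected data as text.

    .PARAMETER LogFile
    Declared with a default of c:\Get-USBDevices_errors.txt. Nothing in this
    function reads it; it is kept so existing callers that pass it still bind.

    .EXAMPLE
    Get-USBDeviceHistory -OutputToReport -OutputToConsole
    #>
    [CmdletBinding()]
    param(
        [Switch]$OutputToReport,
        [Switch]$OutputToConsole,
        [String]$LogFile = 'c:\Get-USBDevices_errors.txt'
    )
    begin
    {
        # Without either switch the helpers would query the registry and
        # produce nothing; say so instead of returning silently.
        if (-not ($OutputToReport -or $OutputToConsole))
        {
            Write-Warning 'Get-USBDeviceHistory: specify -OutputToReport and/or -OutputToConsole; nothing was collected.'
            return
        }

        # Same style string as before, assembled in one expression.
        $Style = -join @(
            '<style>',
            'BODY{background-color:white;}',
            'TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}',
            'TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:aquamarine;}',
            'TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:gainsboro;}',
            '</style>'
        )

        # Positional order matches the helpers' ($r, $c, $s) signatures.
        Get-RegistryKeys $OutputToReport $OutputToConsole $Style
        Get-EvtxRecords $OutputToReport $OutputToConsole $Style
    }
    process {}
    end {}
}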

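function Get-RegistryKeys($r, $c, $s)
{
    # Collects USB-related registry artifacts and reports them.
    #   $r - truthy: write one HTML report per key under
    #        $HOME\Desktop\Get-USBHistory_Out (created if missing).
    #   $c - truthy: emit the data as text lines on the output stream, so it
    #        can be piped to Select-String.
    #   $s - <style> block passed to ConvertTo-Html -Head.
    #
    # Caveats for whoever interprets the results:
    #   * hkcu: is the hive of the account running this function, so the
    #     MountPoints2 data covers that one user only.
    #   * Two paths hard-code ControlSet001 instead of CurrentControlSet.
    #     NOTE(review): confirm ControlSet001 is the control set of interest
    #     on the examined host.
    #   * Most reads use -ErrorAction SilentlyContinue, so a missing or
    #     unreadable key yields an empty report rather than an error.
    #   * NOTE(review): device descriptions and serial numbers originate from
    #     the attached hardware; confirm ConvertTo-Html encodes them in the
    #     PowerShell version in use before opening reports in a browser.

    ${enum usb} = Get-ChildItem -ErrorAction SilentlyContinue "hklm:\SYSTEM\CurrentControlSet\Enum\USB\*\*"
    ${mounted devices} = Get-ItemProperty "hklm:\SYSTEM\MountedDevices\"
    ${mount point 2} = Get-ChildItem -Recurse -ErrorAction SilentlyContinue "hkcu:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
    ${usbstor} = Get-ChildItem -Recurse -ErrorAction SilentlyContinue "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpResources\Registry\HKLM\System\CurrentControlSet\Control\usbstor"
    ${emdmgmt} = Get-ChildItem -Recurse -ErrorAction SilentlyContinue "hklm:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt"
    ${portable devices} = Get-ChildItem -Recurse -ErrorAction SilentlyContinue "hklm:\SOFTWARE\Microsoft\Windows Portable Devices\Devices"
    ${device migration} = Get-ChildItem -Recurse -ErrorAction SilentlyContinue "hklm:\SYSTEM\ControlSet001\Control\DeviceMigration\Devices\USB"
    ${usbstor 2} = Get-ChildItem -Recurse -ErrorAction SilentlyContinue "hklm:\SYSTEM\ControlSet001\Control\DeviceMigration\Devices\USBSTOR"

    if ($r)
    {
        # Use the directory's FullName and Join-Path instead of relying on
        # how a DirectoryInfo object stringifies inside "$e\file.html".
        $outDir = (New-Item -Path (Join-Path $HOME 'Desktop\Get-USBHistory_Out') -ItemType Directory -Force).FullName

        ${enum usb} | ConvertTo-Html -Head $s | Out-File -FilePath (Join-Path $outDir 'enum_usb.html')
        # MountedDevices is one property bag; list its value names.
        ${mounted devices} | Get-Member -MemberType NoteProperty | ConvertTo-Html -Head $s | Out-File -FilePath (Join-Path $outDir 'mounted_devices.html')
        ${mount point 2} | ConvertTo-Html -Head $s | Out-File -FilePath (Join-Path $outDir 'mount_point_2.html')
        # usb_stor.html holds the PnpResources usbstor key; usbstor.html
        # (below) holds the DeviceMigration USBSTOR key. File names are kept
        # as they were for anything that already consumes them.
        ${usbstor} | ConvertTo-Html -Head $s | Out-File -FilePath (Join-Path $outDir 'usb_stor.html')
        ${emdmgmt} | ConvertTo-Html -Head $s | Out-File -FilePath (Join-Path $outDir 'emdmgmt.html')
        ${portable devices} | ConvertTo-Html -Head $s | Out-File -FilePath (Join-Path $outDir 'portable_devices.html')
        ${device migration} | ConvertTo-Html -Head $s | Out-File -FilePath (Join-Path $outDir 'device_migration.html')
        ${usbstor 2} | ConvertTo-Html -Head $s | Out-File -FilePath (Join-Path $outDir 'usbstor.html')
    }

    if ($c)
    {
        # Emit text lines to the output stream rather than Write-Host: the
        # module help describes this switch as the one to use when piping to
        # Select-String, and Write-Host output does not reach the pipeline.
        ${enum usb},${mounted devices},${mount point 2},${usbstor},${emdmgmt},${portable devices},${device migration},${usbstor 2} | Format-List | Out-String -Stream
    }
}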
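function Get-EvtxRecords($r, $c, $s)
{
    # Reports System event log records with EventID 20003 and 20001.
    #   $r - truthy: write evtx_2003_out.html and evtx_2001_out.html under
    #        $HOME\Desktop\Get-USBHistory_Out (created if missing).
    #   $c - truthy: emit the records as text lines on the output stream.
    #   $s - <style> block passed to ConvertTo-Html -Head.
    #
    # Notes:
    #   * Records are matched on EventID alone; the event source is not
    #     checked, so any provider logging these IDs in System is included.
    #   * The report file names say 2003/2001 although the IDs are
    #     20003/20001; the names are kept for existing consumers.
    #   * Get-EventLog is a Windows PowerShell cmdlet and is not available in
    #     PowerShell 6 and later.

    if (-not ($r -or $c)) { return }

    # Read the System log once instead of once per ID per output mode.
    $wantedIds = 20001, 20003
    $records = @(Get-EventLog -LogName System |
        Where-Object { $wantedIds -contains $_.EventID } |
        Select-Object -Property EventID, TimeWritten, TimeGenerated, Message, UserName)

    $evt20003 = @($records | Where-Object { $_.EventID -eq 20003 })
    $evt20001 = @($records | Where-Object { $_.EventID -eq 20001 })

    if ($r)
    {
        # Create the directory here rather than assuming Get-RegistryKeys
        # already did: with Get-Item, a missing directory left the variable
        # empty and the reports were written to "\evtx_*.html" instead.
        $outDir = (New-Item -Path (Join-Path $HOME 'Desktop\Get-USBHistory_Out') -ItemType Directory -Force).FullName

        $evt20003 | ConvertTo-Html -Head $s | Out-File -FilePath (Join-Path $outDir 'evtx_2003_out.html')
        $evt20001 | ConvertTo-Html -Head $s | Out-File -FilePath (Join-Path $outDir 'evtx_2001_out.html')
    }

    if ($c)
    {
        # Out-String -Stream turns the formatted records into plain text
        # lines, which is what Select-String and similar consumers expect.
        $evt20003 | Format-List | Out-String -Stream
        $evt20001 | Format-List | Out-String -Stream
    }
}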